Security Articles
Whether your own business accepts credit cards or you give your own card information to others, such as your MLS or Association, there is a set of rules you need to be aware of called the "PCI Data Security Standards". PCI stands for "Payment Card Industry" and includes the five major credit card companies. These companies have all agreed that any company that stores, processes or transmits credit card or debit card data must comply with a rigorous set of information security guidelines. By the end of 2007, any organization that accepts payment card transactions was supposed to be in compliance with the standards. If not, the credit card companies (or the bank through which the cards are processed) could assess fines on non-compliant companies and even disallow further credit card transactions until PCI Data Security Standards compliance has been achieved.

There are different levels of PCI compliance required, depending on your type of business. Level 1 includes companies that process over $6 million of credit card transactions per year, or that have experienced an information security breach. These companies must pass a special yearly security audit by the card company or bank internal auditor or undergo a yearly audit performed by a Qualified Security Assessor (QSA), as well as undergoing a quarterly network security scan with an Approved Scanning Vendor (ASV). Most companies that Clareity works with in the real estate industry are only Level 2 ($1-6 million/year) or Level 3 ($20,000-$1 million/year), and achieving PCI compliance for these companies is easier, involving an annual self-assessment questionnaire and a quarterly security scan performed by an approved scanning vendor.

What does this mean to you? If you provide your credit card to others, you may want to find out if they are PCI compliant.
If your organization takes and processes credit cards, either through software hosted by your organization and/or a 'point of sale' credit card device, you had best ensure that your company and any application service providers it uses related to credit card processing are PCI compliant. If not already compliant, it's time to become PCI compliant quickly: the deadline for PCI compliance is already long past and your company could be facing fines and a card processing service interruption at any time.

In 2007, Clareity Security recognized the difficulty the real estate industry was having achieving PCI compliance, and entered into an exclusive arrangement with the most popular and highly regarded Approved Scanning Vendor, ScanAlert, to resell the means to achieve PCI compliance to the real estate industry. This service includes the required self-assessment questionnaire and quarterly security scans, but is augmented by proactive telephone and email support from Clareity Security staff and a daily security scan on the most sensitive of servers, allowing companies to achieve HACKER SAFE (a.k.a. McAfee Secure) certification, the logo of which can be displayed on the web site to let customers/consumers know that the utmost care has been taken by the company to protect credit card and other personal information. You may have already seen this logo on the Internet: over 80,000 sites, including sites like Yahoo! and Sony, have implemented the program. More information about the HACKER SAFE program and PCI compliance can be found here: http://www.clareitysecurity.com/hackersafe.cfm.